Xerox Security

Mirai botnet attack

A recent Distributed Denial of Service (DDoS) attack has been attributed to the Mirai botnet, which harnesses compromised Internet of Things (IoT) devices and other network devices to flood targeted sites with traffic in order to force them offline.

What You Need To Know?

A report on the attack by Brian Krebs lists a number of IoT devices, together with the default administrative passwords thought to have been used to compromise them, as being involved in the attack. Xerox is mentioned in the list.

What is Xerox Doing About This?

Xerox has studied the botnet source code and determined that it cannot successfully attack any Xerox device. Mirai spreads by logging in with default credentials over one of two services, telnet or SSH, to open a command line on the target; Xerox devices do not support either service.

Impact

Xerox devices may be scanned and targeted by the botnet but cannot be successfully compromised by it. See below for recommendations on what you can do to prevent your Xerox device from being controlled by unauthorized individuals.

What Should You Do?

Don’t connect your Xerox device directly to the public Internet. Make sure it’s behind a firewall or router so that only you and your users have access to it. This keeps outsiders from accessing the machine and interrupting your business. Please check with your IT department if you’re unsure.

Don’t leave the administrator’s password set to the default. Change it so that unauthorized individuals can’t easily guess it and take control.

Choose a password that is at least eight characters in length (longer is better) with a combination of letters, numbers and special characters.

Never share the administrator’s password with anyone who does not have a legitimate need to know.
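The first thing to confirm for each printer (and any other IoT device) on your network is that nothing answers on the ports Mirai logs in through. The script below is an added example, not Xerox code: it probes TCP 22 (SSH), 23 (telnet) and 2323 (the alternate telnet port the public Mirai scanner also tries) and reports any that accept a connection, along with whatever banner the service volunteers. The host addresses in the `__main__` block are constructed placeholders to replace with your own device addresses.

```python
"""Verify that a device does not expose the remote shells Mirai abuses.

Added example, not Xerox code.  Mirai spreads by logging in over telnet
(TCP 23, and 2323 on some devices) or SSH (TCP 22) with factory-default
passwords, so the first thing to confirm for every printer and IoT device
on the network is that nothing answers on those ports at all.  The host
addresses in __main__ are constructed placeholders.
"""
import socket
from typing import Dict, Tuple

# Standard ports; 2323 is the alternate telnet port Mirai's scanner also tries.
REMOTE_SHELL_PORTS: Dict[str, int] = {"ssh": 22, "telnet": 23, "telnet-alt": 2323}


def banner_probe(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, str]:
    """Return (listening, banner) for one TCP port.

    listening is True when the connection is accepted.  banner is up to
    128 bytes the service volunteers on connect (SSH daemons and most
    telnet daemons send one immediately); it is empty when the port is
    closed or filtered, or when the service stays silent until the timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(128)
            except socket.timeout:
                data = b""
            return True, data.decode("ascii", errors="replace").strip()
    except OSError:
        # Connection refused, unreachable host, or connect timeout.
        return False, ""


def exposed_services(host: str, ports: Dict[str, int] = REMOTE_SHELL_PORTS,
                     timeout: float = 2.0) -> Dict[str, str]:
    """Map service name -> banner for every probed port that accepts a connection.

    An empty dict is the expected result for a correctly deployed device.
    """
    found: Dict[str, str] = {}
    for name, port in ports.items():
        listening, banner = banner_probe(host, port, timeout)
        if listening:
            found[name] = banner
    return found


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET); substitute your printers.
    for host in ("192.0.2.10", "192.0.2.11"):
        for name, banner in exposed_services(host).items():
            print(f"{host}: {name} is listening; banner={banner!r}")
```

A port that accepts the connection is a finding even when the banner is empty or is telnet option-negotiation bytes rather than readable text; the botnet only needs the login prompt. Run it from inside the network segment the printers sit on, since a firewall in between would hide the listening service from the probe but not from a compromised device on the same segment.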

Xerox Security Information, Bulletins and Advisory Responses

To find the security information for your product, please select your product family and product below. You will then see a search results page with links to PDFs. Adobe Acrobat Reader is required to view these files.

"Email Consent Letter" Malicious Emails
Recently, we have seen malicious emails which are “spoofing” or masquerading as originating from an official Xerox Corporation “newsletter” service; these are spear-phishing campaigns. The emails contain a variety of information that makes them appear as if they come from an actual Xerox newsletter service, and offer recipients the ability to opt out of future marketing emails by clicking on links that do not lead to any legitimate Xerox site.

Some words or text caption for the malicious links may be misspelled, such as “Unsuscribe” instead of “Unsubscribe”.

These emails can be blocked by mail servers and detected by many anti-virus scanners. However, some still manage to get through and you should be aware of the patterns.

What is Xerox Doing About This?

Xerox is continuing to monitor the situation and is working with government and law enforcement agencies where appropriate.

Impact

As with any malicious emails and spear-phishing campaigns, these can contain links or attachments which can cause harm. The “opt-out” links in these messages do not lead to a Xerox site.

What Should You Do?

Check with your IT Department to make sure they are aware of these spear-phishing campaigns. Do not click the opt-out or “unsubscribe” links in an e-mail whose origin you cannot verify. If you have any doubt about the origin of these or any e-mails, check with your IT Department.

Phaser 6700 Vulnerability
Security researchers Peter Weidenbach and Raphael Ernst from the Fraunhofer Institute have reported a vulnerability in the Phaser 6700 and Phaser 7800 that may allow an attacker to install arbitrary software on the device using specially-crafted software upgrade modules or clone files (used to transfer settings from device to device). They also demonstrated a vulnerability related to a memory card on the internal device controller board.

What You Need To Know?

The first vulnerability could allow malicious software to be installed on the affected products. Disabling the software update capability and cloning feature will prevent this from being exploited. The second vulnerability requires the machine to be partially disassembled, the memory card altered and then returned to the machine. To prevent this do not allow unauthorized persons to perform hardware maintenance on any device.

What is Xerox Doing About This?

Xerox has consulted with the researchers on these vulnerabilities in the affected products to determine the best way to mitigate them. Patches for the 6700 (first made available the week of 8/15/2016) and for the 7800 (Q4 2016) are now available.

Impact

Exploiting the first vulnerability requires a specially-crafted software upgrade module or clone file, however a hacker toolkit is available that automates some of this process. The second vulnerability requires physical access to the internal device controller board.

What Should You Do?

Until the patch has been installed, turning off the software upgrade capability and cloning feature is strongly recommended. Only install software obtained directly from Xerox. Only clone device settings using trusted media that has been under your physical control. Do not allow unauthorized persons to perform hardware maintenance on any device.

Don’t connect your Xerox device directly to the public Internet. Make sure it’s behind a firewall or router so that only you and your users have access to it. This keeps outsiders from accessing the machine and interrupting your business. Please check with your IT department if you’re unsure.

Don’t leave the administrator’s password set to the default. Change it so that unauthorized individuals can’t easily guess it and take control.

Choose a password that is at least eight characters in length (longer is better) with a combination of letters, numbers and special characters.

Never share the administrator’s password with anyone who does not have a legitimate need to know.

Enable SSL/TLS and validate any certificates used with the device. Information on this can be found in the appropriate Secure Installation and Operation document for your device. Use the Xerox Security Information, Bulletins and Advisory Responses section below to find those guides and to access other security-related information, including important bulletins regarding software updates.

Glibc DNS Vulnerability
A vulnerability in the glibc system library used on many Linux systems has been reported. This vulnerability affects the Domain Name System (DNS) functionality on the target system.

What You Need To Know?

This vulnerability carries the designation of CVE-2015-7547 and is rated Medium. The glibc DNS client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. Customers can reduce the risk by limiting the response size accepted by their local DNS resolver, or by limiting DNS queries to their internal DNS servers.

What is Xerox Doing About This?

Xerox is continuing to monitor the situation and has completed an investigation of its devices. The vulnerability is limited to ConnectKey devices, and patches will be made available in Q2 2016. ConnectKey models include CQ93xx, CQ8700, CQ8900, WC3655, WC58xx, WC59xx, WC6655, WC72xx, WC78xx, WC7970. No other products are affected.

Impact

Exploiting this vulnerability requires both a vulnerable client and an attacker who controls the DNS responses that client receives, typically through their own modified DNS server. Attacks are most likely to be mounted by attackers within the local network. It is not currently known if this can be accomplished over the Internet. Patching clients and servers is recommended when patches are available.

What Should You Do?

The glibc system library is used primarily by Linux systems and all major distributions have updates available. Systems should be restarted once this update is installed. Windows, Mac OS X and other operating systems that don’t use glibc are not affected.

Xerox recommends that all devices be connected to a firewall or router and not directly connected to the public Internet. Limiting the response size accepted by your local DNS resolver, or limiting DNS queries to your internal DNS servers, will reduce risk.

Xerox will publish information on patch availability as they are available.

BEAST Vulnerability In SSL/TLS
A vulnerability in the SSL/TLS protocol was reported in 2011. This vulnerability could allow an attacker to view unencrypted network traffic.

What You Need To Know?

This vulnerability carries the designation of CVE-2011-3389 and is rated Medium. It exploits a weakness in how TLS 1.0 (and SSL 3.0) uses CBC mode: the last ciphertext block of one record is used as the IV for the next record, so a man-in-the-middle who can also get chosen plaintext sent over the connection (for example, from a script running in the victim’s browser) can test guesses at the encrypted data one byte at a time. The client-side fix changes how records are split before sending (the “1/n-1 split”) so that the IV is no longer predictable; TLS 1.1 and later use an explicit per-record IV and are not affected. It is specifically a client vulnerability and has been patched in all major client software, including web browsers and operating systems, since 2013. Some security scanning tools will still flag this vulnerability in Xerox products, but it cannot be exploited against a patched client.

What is Xerox Doing About This?

Xerox is posting this in case you see a warning from your security scanner. You may ignore these warnings.

Impact

All affected client software and operating systems were patched in 2013.

What Should You Do?

No action is required, and there is no patch planned for Xerox products. If your scanner still reports the finding and both the device and all of its clients support TLS 1.1 or later, disabling TLS 1.0 on the device (where its configuration allows it) removes the finding.

Logjam Vulnerability in OpenSSL
A vulnerability affecting the OpenSSL library (and other SSL/TLS implementations) has been reported. It is called Logjam and affects the Diffie-Hellman key exchange when older, export-grade (512-bit) parameters are still supported.

What You Need To Know?

The Logjam vulnerability is designated CVE-2015-4000 and is rated Medium.

Please note that breaking a 512-bit Diffie-Hellman group takes anywhere from hours to days depending on how much computing power the attacker has available. Because most servers use one of a small number of standard groups, that work can be done once, ahead of time, and then reused against every connection that uses the same group. A man-in-the-middle can then force a connection down to the export-grade exchange and read or modify the supposedly encrypted traffic.

Exploiting this vulnerability requires both a vulnerable client and a server that still offers export-grade Diffie-Hellman, a dedicated attacker and access to computing resources to precompute the group. Attacks are most likely to occur in places with public network access such as airports or shops that provide WiFi hotspots. Patching clients and servers is recommended when patches are available; on a server this means disabling export cipher suites and using a 2048-bit Diffie-Hellman group.

This vulnerability also affects Apple mobile and desktop systems, Google’s Android mobile systems and Microsoft Windows. Users of these systems should install the appropriate patches. Patching either the client or the server will be sufficient to prevent this from being exploited.

FREAK Vulnerability In OpenSSL
A vulnerability in the OpenSSL library for SSL/TLS has been reported. It can allow an attacker to execute a man-in-the-middle attack against vulnerable systems that support older key exchange methods. This vulnerability is called FREAK for “Factoring attack on RSA-EXPORT Keys”.

What You Need To Know?

The FREAK vulnerability carries the designation of CVE-2015-0204 and is rated Medium. It takes advantage of support of old secret key exchange methods that were put in place to meet 1990s export laws. These methods are no longer recommended for use but some SSL/TLS implementations may still support them.

Please note that it can take anywhere from hours to days for an attacker to factor a 512-bit export RSA key, depending on how much computing power they have available. Because many servers reuse the same export key for long periods, one factored key can be used to mount a man-in-the-middle attack against every connection to that server.

Exploiting this vulnerability requires both a vulnerable client and server along with a server that reuses keys, a dedicated attacker and access to computing resources to break the key. Attacks are most likely to occur in places with public network access such as airports or shops that provide WiFi hotspots. Patching clients and servers is recommended when patches are available.

This vulnerability also affects Apple mobile and desktop systems, Google’s Android mobile systems and Microsoft Windows. Users of these systems should install the appropriate patches. Patching either the client or server will be sufficient to prevent this from being exploited.

Alternative Chains Certificate Forgery Vulnerability In OpenSSL
A vulnerability in the OpenSSL library for SSL/TLS has been reported. This vulnerability allows an attacker with an untrusted certificate to spoof other websites.

What You Need To Know?

This vulnerability carries the designation of CVE-2015-1793 and is rated High. It affects only OpenSSL 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c, and is fixed in 1.0.1p and 1.0.2d. Earlier 1.0.x versions and the 0.9.8 branch are not affected. A flaw in the certificate-chain verification logic allows an attacker holding an ordinary, untrusted (non-CA) TLS certificate to have it treated as a certificate authority and use it to issue a certificate for another website that a vulnerable client accepts. Attackers can use this scenario to redirect traffic, set up man-in-the-middle attacks, phishing schemes and anything else that compromises supposedly encrypted traffic.

What is Xerox Doing About This?

Xerox conducted an investigation of its devices and servers and determined that no Xerox product is affected.

Impact

Due to the severity, patching clients and servers is recommended when patches are available.

What Should You Do?

Please check with your IT department to determine if patches are needed for your system.

No additional actions are required.

“Scanned from a Xerox Multifunction” Malicious Emails
Recently, we have seen malicious emails, in both the public and private sectors, which are “spoofing” or masquerading as originating from a Xerox device; these are spear-phishing campaigns. The emails contain a variety of information that makes them appear as if they come from an actual Xerox device, but they did not originate from a Xerox device.

These emails can be blocked by mail servers and detected by many anti-virus scanners. However, some still manage to get through and you should be aware of the patterns.

Valid Email from a Xerox Device resembles the following:

The “From” field will contain a machine name (e.g. [email protected]) and not a user’s name. Xerox devices create image files such as TIFF and PDF; they do not create any .ZIP or .EXE files.

What is Xerox Doing About This?

Xerox is continuing to monitor the situation and is working with government and law enforcement agencies where appropriate.

Impact

As with any malicious emails and spear-phishing attacks/campaigns, these can contain links or attachments which can cause harm.

What Should You Do?

Check with your IT Department to make sure they are aware of these spear-phishing campaigns. Only open scan to email files that are sent from a reliable, identifiable, and verifiable source. If you have any doubt about the origin of these or any e-mails, check with your IT Department.
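The tells given above for both spoofed-mail campaigns (the “Email Consent Letter” messages and the “Scanned from a Xerox Multifunction” messages) can be checked mechanically before a message reaches a user. The script below is an added example, not Xerox code: a genuine scan-to-email message comes from a machine name rather than a person and carries image files (TIFF/PDF), never .ZIP or .EXE; the fake newsletter mails misspell their “Unsubscribe” link and point somewhere other than a Xerox site. The device-mailbox naming pattern and the legitimate link domain (xerox.com) are assumptions to adapt to your environment, and the three sample messages are constructed for the example.

```python
"""Flag e-mail that claims to come from a Xerox device or newsletter but does
not look like what a real one sends.

Added example, not Xerox code.  Assumptions: device mailboxes are named after
the printer (DEVICE_LOCALPART) and legitimate opt-out links go to xerox.com.
The sample messages at the bottom are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

DEVICE_LOCALPART = re.compile(r"^(xrx|xerox|printer|mfp)[-_.]", re.IGNORECASE)  # assumption
SCAN_EXTENSIONS = {".pdf", ".tif", ".tiff", ".jpg", ".jpeg"}  # what a device can produce
HREF = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)
ANCHOR_TEXT = re.compile(r"<a\b[^>]*>(.*?)</a>", re.IGNORECASE | re.DOTALL)
WORD = re.compile(r"[A-Za-z]+")


def near_miss(word: str, target: str) -> bool:
    """True when `word` is exactly one edit away from `target` (e.g. 'Unsuscribe')."""
    w, t = word.lower(), target.lower()
    prev = list(range(len(t) + 1))  # Levenshtein distance, one row at a time
    for i, cw in enumerate(w, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (cw != ct)))
        prev = cur
    return prev[-1] == 1


def _text_of(msg: Message) -> str:
    """Concatenate the decoded text/* parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def inspect(raw_message: str, legit_domain: str = "xerox.com") -> List[str]:
    """Return findings; an empty list means the message matches what a real one sends."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    body = _text_of(msg)
    findings: List[str] = []
    # Rule 1: a "scanned from" message must come from a device mailbox, not a person.
    if "scanned from a xerox" in (msg.get("Subject", "") + " " + body).lower():
        if not DEVICE_LOCALPART.match(addr.split("@", 1)[0]):
            findings.append(f"From '{addr}' is not a device mailbox but claims a device scan")
    # Rule 2: devices emit image files only; .zip/.exe never come from a printer.
    for part in msg.walk():
        name = part.get_filename()
        if name and ("." + name.rsplit(".", 1)[-1].lower()) not in SCAN_EXTENSIONS:
            findings.append(f"attachment '{name}' is not a scan image type")
    # Rule 3: link text that almost spells "unsubscribe" is the advisory's tell.
    for text in ANCHOR_TEXT.findall(body):
        if any(near_miss(w, "unsubscribe") for w in WORD.findall(text)):
            findings.append(f"link text '{text.strip()}' misspells unsubscribe")
    # Rule 4: opt-out links must lead to the legitimate domain (assumed xerox.com).
    for url in HREF.findall(body):
        host = url.split("/", 3)[2].split(":")[0].lower()
        if host != legit_domain and not host.endswith("." + legit_domain):
            findings.append(f"link leads to {host}, not {legit_domain}")
    return findings


# Constructed samples: a spoofed scan, the same scan as a device would send it,
# and a spoofed newsletter with a misspelled opt-out link.
FAKE_SCAN = """\
From: Jane Doe <jane.doe@example.com>
Subject: Scanned from a Xerox Multifunction Device
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document.
--b1
Content-Type: application/zip; name="scan_0042.zip"
Content-Disposition: attachment; filename="scan_0042.zip"

UEsDBAo=
--b1--
"""
REAL_SCAN = (FAKE_SCAN.replace("Jane Doe <jane.doe@example.com>", "xrx-wc7845-lobby@example.com")
             .replace("application/zip", "application/pdf").replace("scan_0042.zip", "scan_0042.pdf"))
FAKE_NEWSLETTER = """\
From: Xerox Newsletter <news@xerox-mail.example>
Subject: Email Consent Letter
Content-Type: text/html

<p>To opt out of future Xerox news, <a href="http://xerox-mail.example/opt">Unsuscribe</a> here.</p>
"""
```

Rule 3 generalizes the single misspelling the advisory quotes to any one-character slip of “unsubscribe”, which is why it uses an edit distance rather than a fixed string. The rules are deliberately narrow: a message that passes all four is not proven genuine, only consistent with what a real device or newsletter would send, so “check with your IT Department” still applies to anything unexpected.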